Background
[Pitfall: setting kernel parameters in a Deployment's podTemplate] A business team needed to change kernel parameters (sysctls) for its pods. Kubernetes classifies these parameters as unsafe, so they can only be used after being added to the kubelet's --allowed-unsafe-sysctls list,
and the pods must also be scheduled onto the nodes whose kubelet was reconfigured this way.
What happens if you forget to set node affinity or a nodeSelector and simply edit the Deployment? The experiment below reproduces it.
Experiment
Since Kubernetes 1.12 the sysctls feature has been beta and enabled by default, which lets users set kernel parameters in a pod's securityContext:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      securityContext:
        sysctls:
        - name: net.core.somaxconn
          value: "1024"
      containers:
      - name: nginx
        image: nginx
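As an added example (not part of the original post and not Kubernetes' own code), the following Python script simulates the two gates that decide the outcome of the experiment above: the scheduler's nodeSelector match and the kubelet's sysctl allowlist, which is the built-in safe list plus the --allowed-unsafe-sysctls entries (exact names, or prefixes ending in `*`). The node inventory, the `sysctl-enabled` label and the per-node allowlists are constructed; the safe-sysctl set is the upstream list as assumed here and should be checked against your cluster version. It reports, for the post's pod template and for a corrected copy with a nodeSelector, which eligible nodes would reject the pod with SysctlForbidden.

```python
"""Pre-flight check for pod sysctls: would the kubelet on each eligible node admit the pod?

Added example, not code from the original post. It models two gates a pod passes
through: the scheduler's nodeSelector match and the kubelet's sysctl allowlist
(the built-in safe list plus whatever --allowed-unsafe-sysctls names, given as
exact names or prefixes ending in '*').
"""

# Sysctls Kubernetes treats as namespaced-safe (upstream list as assumed here;
# verify against your cluster version).
SAFE_SYSCTLS = {
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
    "net.ipv4.ping_group_range",
    "net.ipv4.ip_unprivileged_port_start",
}

# Constructed cluster: only node-a and node-b had their kubelet restarted with
# --allowed-unsafe-sysctls; the "sysctl-enabled" label is an assumed convention.
NODES = [
    {"name": "node-a", "labels": {"sysctl-enabled": "true"},
     "allowedUnsafeSysctls": ["net.core.somaxconn"]},
    {"name": "node-b", "labels": {"sysctl-enabled": "true"},
     "allowedUnsafeSysctls": ["net.core.*"]},          # prefix form
    {"name": "node-c", "labels": {}, "allowedUnsafeSysctls": []},
]

# The post's pod template: an unsafe sysctl and no nodeSelector.
POD_TEMPLATE_BROKEN = {
    "securityContext": {"sysctls": [{"name": "net.core.somaxconn", "value": "1024"}]},
    "containers": [{"name": "nginx", "image": "nginx"}],
}
# Corrected template: identical, but pinned to the reconfigured nodes.
POD_TEMPLATE_FIXED = dict(POD_TEMPLATE_BROKEN, nodeSelector={"sysctl-enabled": "true"})


def kubelet_allows(sysctl_name, allowed_unsafe):
    """Mirror the kubelet allowlist: safe set, exact entry, or 'prefix*' entry."""
    if sysctl_name in SAFE_SYSCTLS:
        return True
    for entry in allowed_unsafe:
        if entry.endswith("*"):
            if sysctl_name.startswith(entry[:-1]):
                return True
        elif sysctl_name == entry:
            return True
    return False


def selector_matches(node_selector, node_labels):
    """nodeSelector semantics: every key/value must be present on the node."""
    return all(node_labels.get(k) == v for k, v in node_selector.items())


def eligible_nodes(pod_spec, nodes):
    """Nodes the scheduler could pick for this pod (labels only; taints etc. ignored)."""
    selector = pod_spec.get("nodeSelector", {})
    return [n for n in nodes if selector_matches(selector, n["labels"])]


def preflight(pod_spec, nodes):
    """Return {node_name: [sysctls its kubelet would reject]} over eligible nodes.

    An empty result means no eligible node would reject the pod. Check
    eligible_nodes() separately: a selector that matches nothing leaves the
    pod Pending rather than Failed."""
    sysctls = [s["name"] for s in pod_spec.get("securityContext", {}).get("sysctls", [])]
    report = {}
    for node in eligible_nodes(pod_spec, nodes):
        rejected = [s for s in sysctls
                    if not kubelet_allows(s, node["allowedUnsafeSysctls"])]
        if rejected:
            report[node["name"]] = rejected
    return report


if __name__ == "__main__":
    for label, spec in (("broken", POD_TEMPLATE_BROKEN), ("fixed", POD_TEMPLATE_FIXED)):
        print(f"{label}: eligible={[n['name'] for n in eligible_nodes(spec, NODES)]} "
              f"would_reject={preflight(spec, NODES)}")
```

Run as-is, the broken template shows node-c rejecting net.core.somaxconn while the fixed template reports no rejections, because the nodeSelector removes node-c from the eligible set. The same check can be wired into a CI step by feeding it the Deployment's pod template and the allowlists read from each node's kubelet configuration.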
After creating the Deployment, check again five minutes later: the cluster has created over a thousand pods. Each pod is rejected by the kubelet at admission with reason SysctlForbidden and ends in the Failed phase; the ReplicaSet controller does not count Failed pods toward the desired replicas, so it keeps creating replacements.
$ kubectl get pods
NAME                     READY   STATUS            RESTARTS   AGE
nginx-7fbbcfcc7d-4gmrg   0/1     SysctlForbidden   0          21s
nginx-7fbbcfcc7d-6dfpm   0/1     SysctlForbidden   0          17s
nginx-7fbbcfcc7d-6jkdn   0/1     SysctlForbidden   0          14s
nginx-7fbbcfcc7d-6mf6z   0/1     SysctlForbidden   0          16s
nginx-7fbbcfcc7d-6p2hs   0/1     SysctlForbidden   0          21s
nginx-7fbbcfcc7d-cd759   0/1     SysctlForbidden   0          12s
nginx-7fbbcfcc7d-ckqbl   0/1     SysctlForbidden   0          16s
nginx-7fbbcfcc7d-gtvq4   0/1     SysctlForbidden   0          16s
nginx-7fbbcfcc7d-jbv2p   0/1     SysctlForbidden   0          18s
nginx-7fbbcfcc7d-jdh84   0/1     SysctlForbidden   0          18s
nginx-7fbbcfcc7d-kmd9p   0/1     SysctlForbidden   0          20s
nginx-7fbbcfcc7d-lcp6k   0/1     SysctlForbidden   0          15s
nginx-7fbbcfcc7d-lsdlx   0/1     SysctlForbidden   0          15s
nginx-7fbbcfcc7d-mbd74   0/1     SysctlForbidden   0          19s
nginx-7fbbcfcc7d-mbjnf   0/1     SysctlForbidden   0          18s
nginx-7fbbcfcc7d-mmbj7   0/1     SysctlForbidden   0          21s
nginx-7fbbcfcc7d-n2ndn   0/1     SysctlForbidden   0          21s
nginx-7fbbcfcc7d-rhjmp   0/1     SysctlForbidden   0          14s
nginx-7fbbcfcc7d-rznhl   0/1     SysctlForbidden   0          13s
nginx-7fbbcfcc7d-sfrl9   0/1     SysctlForbidden   0          21s
nginx-7fbbcfcc7d-t9bkk   0/1     SysctlForbidden   0          19s
nginx-7fbbcfcc7d-vd6x8   0/1     SysctlForbidden   0          17s
nginx-7fbbcfcc7d-vt2jh   0/1     SysctlForbidden   0          21s
nginx-7fbbcfcc7d-w4l7n   0/1     SysctlForbidden   0          20s
nginx-7fbbcfcc7d-w5sgq   0/1     SysctlForbidden   0          14s
nginx-7fbbcfcc7d-wlf2c   0/1     SysctlForbidden   0          13s
nginx-7fbbcfcc7d-xh22t   0/1     SysctlForbidden   0          21s
Remediation
kubectl scale deployment --replicas=0 nginx
kubectl delete pods -l app=nginx
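Added example, not from the original post: triage logic that runs over the JSON that `kubectl get pods -A -o json` returns (a constructed sample using core/v1 Pod field names is embedded), counts the pods the kubelet rejected with SysctlForbidden per owning ReplicaSet, and emits the same two-step fix used above, scaling the Deployment to zero before deleting the failed pods. Deriving the Deployment name from the ReplicaSet name is an assumption about the usual naming convention and is marked as such in the code.

```python
"""Triage a SysctlForbidden pod storm from `kubectl get pods -A -o json` output.

Added example, not from the original post. The embedded pod list is a
constructed sample using core/v1 Pod field names; on a real cluster pipe the
kubectl JSON into forbidden_by_replicaset().
"""
import json
from collections import Counter


def _pod(name, rs_name, phase, reason=None, namespace="default"):
    """Build a minimal, constructed core/v1 Pod record owned by a ReplicaSet."""
    app, pod_hash = rs_name.rsplit("-", 1)
    pod = {
        "metadata": {
            "name": name,
            "namespace": namespace,
            "labels": {"app": app, "pod-template-hash": pod_hash},
            "ownerReferences": [{"kind": "ReplicaSet", "name": rs_name}],
        },
        "status": {"phase": phase},
    }
    if reason:
        pod["status"]["reason"] = reason  # kubelet admission failures set this
    return pod


SAMPLE_POD_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        _pod("nginx-7fbbcfcc7d-4gmrg", "nginx-7fbbcfcc7d", "Failed", "SysctlForbidden"),
        _pod("nginx-7fbbcfcc7d-6dfpm", "nginx-7fbbcfcc7d", "Failed", "SysctlForbidden"),
        _pod("nginx-7fbbcfcc7d-6jkdn", "nginx-7fbbcfcc7d", "Failed", "SysctlForbidden"),
        _pod("nginx-7fbbcfcc7d-zzzzz", "nginx-7fbbcfcc7d", "Running"),   # landed on a good node
        _pod("cache-6c4d8f9b7-abcde", "cache-6c4d8f9b7", "Failed", "Evicted"),  # unrelated failure
        _pod("api-5d9c7b8f6-k2l3m", "api-5d9c7b8f6", "Failed", "SysctlForbidden", "team-a"),
    ],
})


def forbidden_by_replicaset(pod_list_json):
    """Count pods rejected with SysctlForbidden, keyed by (namespace, ReplicaSet name)."""
    counts = Counter()
    for pod in json.loads(pod_list_json)["items"]:
        status = pod.get("status", {})
        if status.get("phase") != "Failed" or status.get("reason") != "SysctlForbidden":
            continue
        owners = [o["name"] for o in pod["metadata"].get("ownerReferences", [])
                  if o.get("kind") == "ReplicaSet"]
        owner = owners[0] if owners else "<no ReplicaSet owner>"
        counts[(pod["metadata"]["namespace"], owner)] += 1
    return dict(counts)


def remediation_plan(counts):
    """Emit the post's two-step fix per affected ReplicaSet: stop the controller first,
    then clean up, so no new pods are created while the old ones are being deleted.

    Assumption: the owning Deployment is named <rs-name minus pod-template-hash>.
    That is the usual convention, not an API guarantee; confirm with
    `kubectl get rs <rs> -o jsonpath='{.metadata.ownerReferences[0].name}'`."""
    plan = []
    for (ns, rs), n in sorted(counts.items()):
        if rs.startswith("<"):
            continue  # bare pods: no controller to scale, delete them directly
        deployment, pod_hash = rs.rsplit("-", 1)
        plan.append(f"# {n} pod(s) rejected under ReplicaSet {ns}/{rs}")
        plan.append(f"kubectl -n {ns} scale deployment --replicas=0 {deployment}")
        plan.append(f"kubectl -n {ns} delete pods -l pod-template-hash={pod_hash} "
                    f"--field-selector=status.phase=Failed")
    return plan


if __name__ == "__main__":
    print("\n".join(remediation_plan(forbidden_by_replicaset(SAMPLE_POD_LIST))))
```

To use it against a live cluster, replace SAMPLE_POD_LIST with `sys.stdin.read()` and pipe in `kubectl get pods -A -o json`. The delete step selects on the pod-template-hash label and on `status.phase=Failed` so that pods from the same ReplicaSet that did land on a correctly configured node are left alone.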
Summary: before setting kernel parameters on a pod, validate them with a temporary pod first and only then modify the Deployment, to avoid creating a large batch of invalid pods.